help with these viruses

Started by michaeldan, Aug 21 2007 12:03 AM

You cannot reply to this topic

11 replies to this topic

#1 OFFLINE michaeldan

Newbie

Members
9 posts

Posted 21 August 2007 - 12:03 AM

these are the viruses

adware.Newdotnet.U
BehavesLike:Win32.Malware
Trojan.conhook.Y
Trojan.Downloader.Small.sv

Back to top

#2 OFFLINE rridgely

I hate computers

Moderators
8,858 posts

Gender:Male

Posted 21 August 2007 - 12:12 AM

Sorry but it doesn't work that way. Your going to have to post a hijackthis log, then we can tell you what to do.
Virus names mean nothing sadly because they change company to company and they can affect each computer differently.

Back to top

#3 OFFLINE michaeldan

Newbie

Members
9 posts

Posted 21 August 2007 - 12:14 AM

rridgely, on Aug 20 2007, 05:12 PM, said:

Sorry but it doesn't work that way. Your going to have to post a hijackthis log, then we can tell you what to do.
Virus names mean nothing sadly because they change company to company and they can affect each computer differently.

How do I post a hijackthis log?

Back to top

#4 OFFLINE rridgely

I hate computers

Moderators
8,858 posts

Gender:Male

Posted 21 August 2007 - 12:26 AM

Download hijackthis here:
http://www.filehippo...oad_hijackthis/

1. Install it
2. Open it up
3. Press "scan and save log file".
4. Copy and paste the notepad file onto the forum in this topic for me to see.

Back to top

#5 OFFLINE michaeldan

Newbie

Members
9 posts

Posted 21 August 2007 - 12:43 AM

rridgely, on Aug 20 2007, 05:26 PM, said:

Download hijackthis here:
http://www.filehippo...oad_hijackthis/

1. Install it
2. Open it up
3. Press "scan and save log file".
4. Copy and paste the notepad file onto the forum in this topic for me to see.

Thanks. I think this is it.
<HTML>
<HEAD>
<TITLE>BitDefender Online Scanner -Scan Report</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta name="generator" content="Namo WebEditor v5.0(Trial)">
</HEAD>
<BODY BGCOLOR=#FFFFFF leftmargin="10" marginwidth="0" topmargin="20" marginheight="0" >

<table align="center" border="0" cellpadding="0" cellspacing="0" width="90%">
<tr>
<td width="458">
BitDefender
Online Scanner
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>
<tr>
<td colspan="3" width="912">
Scan report generated
at: Mon, Aug 20, 2007 - 17:36:38
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
Scan
path: A:\;C:\;D:\;E:\;
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Statistics
</td>
</tr>
<tr>
<td width="57%">
Time
</td>
<td width="43%" align="right">
00:18:43
</td>
</tr>
<tr>
<td width="57%">
Files
</td>
<td width="43%" align="right">
66088
</td>
</tr>
<tr>
<td width="57%">
Folders
</td>
<td width="43%" align="right">
3006
</td>
</tr>
<tr>
<td width="57%">
Boot Sectors
</td>
<td width="43%" align="right">
2
</td>
</tr>
<tr>
<td width="57%">
Archives
</td>
<td width="43%" align="right">
737
</td>
</tr>
<tr>
<td width="57%">
Packed Files
</td>
<td width="43%" align="right">
4278
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Results
</td>
</tr>
<tr>
<td width="57%">
Identified Viruses 
</td>
<td width="43%" align="right">
2
</td>
</tr>
<tr>
<td width="57%">
Infected Files 
</td>
<td width="43%" align="right">
9
</td>
</tr>
<tr>
<td width="57%">
Suspect Files 
</td>
<td width="43%" align="right">
0
</td>
</tr>
<tr>
<td width="57%">
Warnings
</td>
<td width="43%" align="right">
0
</td>
</tr>
<tr>
<td width="57%">
Disinfected
</td>
<td width="43%" align="right">
0
</td>
</tr>
<tr>
<td width="57%">
Deleted Files
</td>
<td width="43%" align="right">
1
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Engines Info
</td>
</tr>
<tr>
<td width="57%">
Virus Definitions
</td>
<td width="43%" align="right">
749384
</td>
</tr>
<tr>
<td width="57%">
Engine build
</td>
<td width="43%" align="right">
AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)
</td>
</tr>
<tr>
<td width="57%">
Scan plugins
</td>
<td width="43%" align="right">
14
</td>
</tr>
<tr>
<td width="57%">
Archive plugins
</td>
<td width="43%" align="right">
37
</td>
</tr>
<tr>
<td width="57%">
Unpack plugins
</td>
<td width="43%" align="right">
6
</td>
</tr>
<tr>
<td width="57%">
E-mail plugins
</td>
<td width="43%" align="right">
6
</td>
</tr>
<tr>
<td width="57%">
System plugins
</td>
<td width="43%" align="right">
1
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Scan Settings
</td>
</tr>
<tr>
<td width="57%">
First Action
</td>
<td width="43%" align="right">
Disinfect
</td>
</tr>
<tr>
<td width="57%">
Second Action
</td>
<td width="43%" align="right">
Delete
</td>
</tr>
<tr>
<td width="57%">
Heuristics
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Enable Warnings
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scanned Extensions
</td>
<td width="43%" align="right">
*;
</td>
</tr>

<tr>
<td width="57%">
Exclude Extensions
</td>
<td width="43%" align="right">
 
</td>
</tr>
<tr>
<td width="57%">
Scan Emails
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Archives
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Packed
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Files
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Boot
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td colspan=2>  
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="252" bgcolor="#CCCCCC">
Scanned File
</td>
<td width="195" bgcolor="#CCCCCC" align="right">
 Status
</td>
</tr>
<tr>
<td width="57%">
C:\Program Files\NewDotNet\newdotnet7_48.dll
</td>
<td width="43%" align="left">
Detected with: Adware.Newdotnet.U
</td>
</tr><tr>
<td width="57%">
C:\Program Files\NewDotNet\newdotnet7_48.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\Program Files\NewDotNet\newdotnet7_48.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr><tr>
<td width="57%">
C:\System Volume Information\_restore{F467EDC9-EA9B-4DA6-9BC0-195160CB293B}\RP0\A0000028.exe
</td>
<td width="43%" align="left">
Detected with: Adware.Newdotnet.U
</td>
</tr><tr>
<td width="57%">
C:\System Volume Information\_restore{F467EDC9-EA9B-4DA6-9BC0-195160CB293B}\RP0\A0000028.exe
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\System Volume Information\_restore{F467EDC9-EA9B-4DA6-9BC0-195160CB293B}\RP0\A0000028.exe
</td>
<td width="43%" align="left">
Deleted
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\eqcjarvo.dll
</td>
<td width="43%" align="left">
Infected with: Trojan.Conhook.Y
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\eqcjarvo.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\eqcjarvo.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\hipihip.dll
</td>
<td width="43%" align="left">
Infected with: Trojan.Conhook.Y
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\hipihip.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\hipihip.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\ittoymmg.dll
</td>
<td width="43%" align="left">
Infected with: Trojan.Conhook.Y
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\ittoymmg.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\ittoymmg.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\lssgkqni.dll
</td>
<td width="43%" align="left">
Infected with: Trojan.Conhook.Y
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\lssgkqni.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\lssgkqni.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\tfwsibfb.dll
</td>
<td width="43%" align="left">
Infected with: Trojan.Conhook.Y
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\tfwsibfb.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\tfwsibfb.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\thebdihe.dll
</td>
<td width="43%" align="left">
Infected with: Trojan.Conhook.Y
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\thebdihe.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\thebdihe.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\vgotaqwr.dll
</td>
<td width="43%" align="left">
Infected with: Trojan.Conhook.Y
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\vgotaqwr.dll
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\system32\vgotaqwr.dll
</td>
<td width="43%" align="left">
Delete failed
</td>
</tr>
</table>
</td>

<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

</table>
 

</body>
</html>

Back to top

#6 OFFLINE rridgely

I hate computers

Moderators
8,858 posts

Gender:Male

Posted 21 August 2007 - 12:44 AM

No thats a bitdefender online scan report. I want a hijackthis log.
Just follow the instructions I posted.

Back to top

#7 OFFLINE michaeldan

Newbie

Members
9 posts

Posted 21 August 2007 - 12:53 AM

rridgely, on Aug 20 2007, 05:44 PM, said:

No thats a bitdefender online scan report. I want a hijackthis log.
Just follow the instructions I posted.

Sorry, when I try to run that scan, I get an error message when I try to install the scan. The error message is the same problem
I've been having all along "not a valid win32 application"

The only scan that I don't get that error was the one I just sent to you. the bitdefender

Back to top

#8 OFFLINE rridgely

I hate computers

Moderators
8,858 posts

Gender:Male

Posted 21 August 2007 - 01:21 AM

The only people that should be posting in this topic is me, michaeldan, or another spyware mod. No one else.

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Back to top

#9 OFFLINE michaeldan

Newbie

Members
9 posts

Posted 21 August 2007 - 01:32 AM

rridgely, on Aug 20 2007, 06:21 PM, said:

The only people that should be posting in this topic is me, michaeldan, or another spyware mod. No one else.

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Sorry to be a pain, but after I have saved it to the desktop and I doubleclick combofix.exe I get the same
error message ".exe is not a valid win32 application"

Back to top

#10 OFFLINE rridgely

I hate computers

Moderators
8,858 posts

Gender:Male

Posted 21 August 2007 - 01:33 AM

Nah its ok. I figured that would happen.
Run this since you seem to be able to use online scans:

Run Kaspersky WebScanner

Please go HERE and click Kaspersky Online Scanner
Read and Accept the Agreement
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button.
The program will launch and then begin downloading the latest definition files,
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Paste kaspersky log onto forum.

Back to top

#11 OFFLINE michaeldan

Newbie

Members
9 posts

Posted 21 August 2007 - 02:22 AM

rridgely, on Aug 20 2007, 06:33 PM, said:

Nah its ok. I figured that would happen.
Run this since you seem to be able to use online scans:

Run Kaspersky WebScanner

Please go HERE and click Kaspersky Online Scanner
Read and Accept the Agreement
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
If you see a Windows dialog asking if you want to install this software, click the Install button.
The program will launch and then begin downloading the latest definition files,
When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Paste kaspersky log onto forum.

ok here we go
hope this helps
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 20, 2007 7:18:19 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/08/2007
Kaspersky Anti-Virus database records: 386285
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 29000
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:25:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NewDotNet\newdotnet7_48.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\Program Files\NewDotNet\uninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{F467EDC9-EA9B-4DA6-9BC0-195160CB293B}\RP0\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E6A710F1-9450-4031-B21C-A66C9276E700}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\q80yh7.exe Infected: Backdoor.Win32.Small.na skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Back to top

#12 OFFLINE rridgely

I hate computers

Moderators
8,858 posts

Gender:Male

Posted 21 August 2007 - 02:35 AM

Save this file to your desktop

http://securityrespo.../UnHookExec.inf

Right click the file and choose Install (This is a small file. It does not display any notice or boxes when you run it.)

Then try the HijackThis or Combofix files again, if you still get the error then Can you try clearing your temporary internet files and downloading the files again

To empty the Temp folder and the Temporary Internet Files folder, use the Disk Cleanup tool.

Click Start, point to Programs, point to Accessories, point to System Tools, and then click Disk Cleanup.
Click C: or click the drive where Windows XP is installed, and then click OK.
Click to select the Temporary files check box.
Click OK, and then click Yes to confirm the deletion.

If you have CCleaner installed then also run that to clear any remaining temp files

Then delete the HijackThis.exe and Combofix.exe and download them again, you can download the latest HijackThis from here so it maybe worth trying this version and see if you still get the error

http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

If you do can you try them in Safe Mode

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, try running the tools and see if it shows the same error's then reboot back to Normal mode by restarting the pc.

Iexplore.exe must be able to open as well as other Windows .exe files with you running online scans and posting on here so its strange that HijackThis.exe & Combofix.exe will not run, Does this happen with running any other programs you have installed or just those two files ?

Let us know if its the same in Safe Mode or if any of the above steps fix the problem, if not then let us know if other programs you have installed are running ok

Cheers

Back to top

Back to Spyware Hell